3
Agenda How do we align with other SDOs/Requirements? What are some of our products? –Special Publications –Federal Information Processing Standards –NIST Inter-Agency Reports How do you get these products? Do you have to use these products? Do you want to use these products? Other products available to you from CSD

5
A Way NIST Helps The 800 Series Special Publications –A suite of guidelines to assist with the technological challenges in establishing and maintaining an information security program –Cover a WIDE range of program, process and technology. The RMF and then all the specifics that can “radiate” out from that wheel. –Written with deliberate flexibility to adapt to environments and support missions –Not mandatory for the Federal Civilian Agencies but can be required by other oversight bodies

6
How are SP 800 Docs Made? How we make these –Topics Selected External Drivers e.g. Legislation, OMB Directives, HSPDs. Technology Standards and Guidelines Needs/Gaps Threat Activities Vulnerability Areas Requests from Constituents Results of Research –Multiple Internal Drafts Conducted in the Writing of the Guideline Conducted Outside of the Authoring Team Conducted Outside of the Division –Public Drafts Posted on the Internet for Review and Comment Multiple Public Drafts Used if Necessary –Phase in Period

9
A Way NIST Helps Federal Information Processing Standards –Different than the Special Publications –Federal Standards Required for Use by All Civilian Federal Agencies –Waivers ONLY by the President How we make these –Only Done When Required or Great Compelling Need Required by Legislation (FISMA) Required for Encryption (Compelling Need) Not Done Often Announced Through Federal Register All Comments Publically Posted Must Be Approved by the Secretary of Commerce

12
A Way NIST Helps NIST Inter-Agency Reports (NISTIRs) How we make these –Results of Research –Results of a Workshop, Conference, Forum –Often very Technical in Nature and/or Complement Submissions to Other Professional Publications Non-Binding and Not Required for Implementation –Internal and External Draft Process Follows that of SP 800 Doc.

14
When Do These Apply To You? The Federal Information Security Management Act (FISMA) Says: ( ) ‘‘§ Federal agency responsibilities ‘‘(a) IN GENERAL.—The head of each agency shall— ‘‘(1) be responsible for— ‘‘(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of— ‘‘(i) information collected or maintained by or on behalf of the agency; and ‘‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

15
When Do These Apply To You? OMB Says: (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-19.pdf ) Contractor Monitoring and Controls 35. Must Government contractors abide by FISMA requirements? Yes, and each agency must ensure their contractors are doing so. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions. Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems. Therefore, Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III). Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems.

16
When Do These Apply To You? So, what does that mean? Some Valid Questions to Ask: Am I in some form of data interchange with a civilian agency of the federal government? Do I have a contract with then and what does it say regarding information and information system security? Am I acting on “behalf of that agency?” Is this work for, being represented as, being paid by that agency? What does the agency say and what does your CIO, CISO and GC say? What is my security program and other security requirements? How does that map and/or satisfy the requirements of the civilian agency?

17
What Else Could You Use from NIST/CSD? The National Vulnerability Database (NVD) The Security Content Automation Protocol (S-CAP) The Federal Desktop Core Configurations (FDCC) The NIST Checklist Program FIPS 140 and the Cryptographic Module Validation Program

18
The National Vulnerability Database (NVD)

19
NVD RSS Feeds Common Vulnerability Scoring System

20

21
SCAP Capability validations FDCC Scanner: a product with the ability to audit and assess a target system in order to determine its compliance with the Federal Desktop Core Configuration (FDCC) requirements. By default, any product validated as an FDCC Scanner is automatically awarded the Authenticated Configuration Scanner validation. Authenticated Configuration Scanner: a product with the ability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges. The FDCC Scanner capability is an expanded use case of this capability. Therefore, any product awarded the FDCC Scanner validation is automatically awarded the Authenticated Configuration Scanner validation. Authenticated Vulnerability and Patch Scanner: a product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges. Unauthenticated Vulnerability Scanner: a product with the ability of determining the presence of known software flaws by evaluating the target system over the network. Intrusion Detection and Prevention Systems (IDPS): a product that monitors a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities. Patch Remediation: the ability to install patches on a target system in compliance with a defined patching policy. Mis-configuration Remediation: the ability to alter the configuration of a target system in order to bring it into compliance with a defined set of configuration recommendations. Asset Management: the ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers. Asset Database: the ability to passively store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers. Vulnerability Database: A SCAP vulnerability database is a product that contains a catalog of security related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database. Mis-configuration Database: A SCAP mis-configuration database is a product that contains a catalog of security related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find mis-configurations and then stores the results in a database does not meet the requirements for an SCAP mis-configuration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security related configuration issues, independent of a particular environment, would meet the definition of an SCAP vulnerability database. Malware Tool: the ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system

22
FDCC

23
FIPS 140 ● When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). ● Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the modules validation certificate number. ● The certificate number will provide reference to the CMVP lists of validated modules. 12

24
How to reach us LooLoo 11 Look in the doc for the primary author: CALL THEM